Cookies 'NET Security - PowerPoint PPT Presentation

About This Presentation
Title:

Cookies 'NET Security

Description:

It is the best for storing more extensive information. HttpCookie Class in .NET ... If a Web site sets an HTTP-only cookie on a browser that does not support HTTP ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 17
Provided by: hadia9
Learn more at: https://www.cs.odu.edu
Category:
Tags: net | best | browsers | cookies | security | web


Transcript and Presenter's Notes

Title: Cookies 'NET Security


1
Cookies / .NET Security
  • Summer 2006, CS795/895, Hadi Arbabi

2
Maintaining State Information
  • Query strings: visible to the user, so they should
    not contain secure information
  • View state: the ViewState property, stored as hidden
    fields on the page
  • Session state: local to the current session (single
    user)
  • Application state: available to all users of the
    application
  • Cookies: store a small amount of information on the
    client (if not refused)

3
What Are Cookies?
  • A cookie is a small bit of text that accompanies
    requests and pages as they go between the Web
    server and browser.
  • The cookie contains information the application
    can read whenever the user visits the site.
  • Cookies are normally written to the user's disk.
  • The Browser looks on the local hard disk for a
    cookie associated with the URL. If the cookie
    exists, the browser sends the cookie to your site
    along with the page request.
  • Cookies are used for all sorts of purposes, all
    relating to helping the Web site remember you.

4
Properties
  • Cookies are associated with a Web site, not with
    a specific page.
  • As the user visits different sites, each site
    might send a cookie to the user's browser as
    well.
  • The browser stores all the cookies separately.
  • Most browsers support cookies of up to 4096
    bytes.
  • Most browsers allow only 20 cookies per site; if
    you try to store more, the oldest cookies are
    discarded.
  • Cookies are stored by Name, so if you create two
    cookies with the same name, one overwrites the
    other.
  • Different browsers store cookies in different
    ways.
  • Cookies are case sensitive.

5
Properties
  • IE5 and higher store cookies in this way:
    C:\Documents and Settings\<user>\Cookies\<user>@<domain>.txt
    NOTE: You can open the cookie with a text editor.
    If the file contains multiple cookies, they are
    separated with an asterisk (*). The first line of
    each cookie is its name, and the second has the
    value. The remaining lines have cookie housekeeping
    information such as the expiration date and time.
    There is also a simple checksum in the cookie; if
    you change the length of the cookie name or value,
    the browser will detect the tampering and will
    discard the cookie.

6
Approaches
  • Two approaches when storing and retrieving user
    information through cookies:
  • 1. Store all the user information as a cookie on
    the client's computer. It is useful when user
    information is simple and is not required on the
    server for any tasks.
  • 2. Store an identification key on the client's
    machine, and then retrieve user information from
    a data source on the server using that
    identification key. It is the best for storing
    more extensive information.

7
HttpCookie Class in .NET
  • Public Properties

8
Using Cookies
  • Users can set their browser to refuse cookies.
    The application should not depend on being able
    to store cookies. Use cookies for nice-to-have
    features; do not use them to support critical
    features.
  • C#:

```csharp
private void Function(/* ... */)
{
    // If the browser supports cookies
    if (Request.Browser.Cookies)
    {
        // Create a cookie
        HttpCookie myCookie = new HttpCookie("MyCookie");
        myCookie.Value = "This is value of my cookie";
        // Add the cookie to the response
        Response.Cookies.Add(myCookie);
    }
}
```

9
Creating Cookie
  • Steps to store a cookie
  • Check whether the client supports cookies by
    using the Browser object's Cookies property.
  • If so, check whether the cookie already exists by
    using the Request object's Cookies collection.
  • If not, create a new cookie object using the
    HttpCookie class.
  • Set the cookie object's Value and Expires
    properties.
  • Add the cookie object to the Response object's
    Cookies collection.

10
Code (C#)

```csharp
private void Page_Load(object sender, System.EventArgs e)
{
    if (Request.Browser.Cookies)
    {
        if (Request.Cookies["MyCookie"] == null)
        {
            // First visit: create the cookie
            HttpCookie myCookie = new HttpCookie("MyCookie");
            myCookie.Value = "This is my cookie value";
            myCookie.Expires = DateTime.Now.AddDays(5);
            Response.Cookies.Add(myCookie);
        }
        else
        {
            // Cookie already exists: change it and send the updated copy back
            HttpCookie myCookie = Request.Cookies["MyCookie"];
            myCookie.Value = "Set the value";
            myCookie.Expires = DateTime.Now.AddDays(5);
            // Changing Request.Cookies alone does not reach the browser
            Response.Cookies.Add(myCookie);
        }
    }
    else
    {
        // SHOW MESSAGE THE BROWSER DOES NOT ACCEPT COOKIES (ALERT).
    }
}
```

11
Expiration?!!!
  • If you do not set the cookie's expiration, the
    cookie is created but it is not stored on the
    user's hard disk. Instead, the cookie is
    maintained as part of the user's session
    information.
  • When the user closes the browser or if the
    session times out, the cookie is discarded.
  • A non-persistent cookie like this is handy for
    information that needs to be stored for only a
    short time or that for security reasons should
    not be written to disk on the client computer.
    For example, non-persistent cookies are useful
    if the user is working on a public computer,
    where you do not want to write the cookie to
    disk.
  • So the Expires property determines when the
    client's machine can discard the cookie.
  • Setting Expires to DateTime.MaxValue means that
    the cookie never expires:
    `Response.Cookies["MyCookie"].Expires = DateTime.MaxValue;`
  • Resetting the Expires property to the current
    time or a past time removes the cookie from the
    client's machine:
    `Response.Cookies["MyCookie"].Expires = DateTime.Now;`
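The three lifetimes described on this slide, collected in one added example (this is not code from the presentation; the class CookieLifetime, its method names, the LifetimePage class and the cookie names are assumptions made for the example). It uses the System.Web HttpCookie class the slides discuss and shows the one detail the bullets leave implicit: to remove a cookie, the server must resend it with the same name, Path and Domain and an Expires in the past.

```csharp
// Added example, not from the original slides. CookieLifetime, LifetimePage and
// the cookie names are assumed names for illustration.
using System;
using System.Web;

public static class CookieLifetime
{
    // No Expires: the browser keeps the cookie in memory only and drops it
    // when the browser closes. Use this for data that must not reach the disk.
    public static HttpCookie IssueSessionCookie(HttpResponse response, string name, string value)
    {
        HttpCookie cookie = new HttpCookie(name, value);
        response.Cookies.Add(cookie);
        return cookie;
    }

    // Expires in the future: the browser writes the cookie to disk and
    // keeps resending it until that moment.
    public static HttpCookie IssuePersistentCookie(HttpResponse response, string name, string value, int days)
    {
        HttpCookie cookie = new HttpCookie(name, value);
        cookie.Expires = DateTime.Now.AddDays(days);
        response.Cookies.Add(cookie);
        return cookie;
    }

    // The server cannot delete a cookie directly. It resends a cookie with the
    // same name and the same Path (and Domain, if one was set) whose Expires is
    // already in the past; the browser then discards its stored copy. A cookie
    // with a different Path would be stored as a second, separate cookie.
    public static void Expire(HttpResponse response, string name, string path)
    {
        HttpCookie cookie = new HttpCookie(name, string.Empty);
        cookie.Path = path;
        cookie.Expires = DateTime.Now.AddDays(-1);
        response.Cookies.Add(cookie);
    }
}

// Usage from a Web Forms page (assumed page class).
public partial class LifetimePage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.Browser.Cookies)
        {
            return; // the browser refuses cookies; do nothing cookie-dependent
        }
        CookieLifetime.IssueSessionCookie(Response, "Workflow", "step3");   // gone when the browser closes
        CookieLifetime.IssuePersistentCookie(Response, "Theme", "dark", 30); // on disk for 30 days
        CookieLifetime.Expire(Response, "OldPref", "/");                     // ask the browser to drop it
    }
}
```

The browser sends only the name and value back with each request, so the expiry of a cookie read from Request.Cookies is not available on the server; any expiry the application itself relies on has to live in the value or in server-side state.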

12
Using Keys, Multi-Valued Cookies

```csharp
// Values read and written by the two methods below
private string firstname, lastname, tel;

private void SetKeys()
{
    // One cookie named UserInfo carrying several named values (subkeys)
    HttpCookie cuky = new HttpCookie("UserInfo");
    cuky["FirstName"] = firstname;
    cuky["LastName"] = lastname;
    cuky["Tel"] = tel;
    cuky.Expires = DateTime.Now.AddDays(30);
    Response.Cookies.Add(cuky);
}

private void ReadKeys()
{
    HttpCookie cuky = Request.Cookies["UserInfo"];
    if (cuky == null)
    {
        return; // cookie absent, expired, or refused by the browser
    }
    firstname = cuky["FirstName"];
    lastname = cuky["LastName"];
    tel = cuky["Tel"];
    // ...
}
```

13
Storing User Information on the Server
  • 1. Create a unique key to identify the user.
  • 2. Save the unique key as a cookie on the user's
    computer.
  • 3. Create a file on the server to store user
    information.
  • 4. Save the user information on the server using
    the unique key as an index.
  • Key generation: `System.Guid.NewGuid().ToString()`
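The four steps above, and the second approach of slide 6 (store only an identification key on the client), carried through as an added example. This is not code from the presentation: UserProfile, UserProfileStore, the UserKey cookie name, the ProfilePage class and the in-memory dictionary that stands in for the server-side file of step 3 are assumptions made for the example. The point it adds is on the read side: the key arrives from the client, so it is validated as a GUID before it is used as an index.

```csharp
// Added example, not from the original slides. All type and cookie names are
// assumed; the Dictionary stands in for the server-side file of step 3.
using System;
using System.Collections.Generic;
using System.Web;

public class UserProfile
{
    public string FirstName;
    public string LastName;
    public string Tel;
}

public static class UserProfileStore
{
    private const string KeyCookieName = "UserKey";
    private static readonly object Sync = new object();
    private static readonly Dictionary<string, UserProfile> Profiles = new Dictionary<string, UserProfile>();

    // Steps 1 and 2: create a unique key and hand only the key to the browser.
    public static string IssueKey(HttpResponse response)
    {
        string key = Guid.NewGuid().ToString();
        HttpCookie cookie = new HttpCookie(KeyCookieName, key);
        cookie.HttpOnly = true;                  // not readable by script (.NET 2.0+)
        cookie.Secure = true;                    // sent over https:// only
        cookie.Expires = DateTime.Now.AddDays(30);
        response.Cookies.Add(cookie);
        return key;
    }

    // Step 4: store the information on the server under the key.
    public static void Save(string key, UserProfile profile)
    {
        lock (Sync)
        {
            Profiles[key] = profile;
        }
    }

    // Later visits: the key comes from the client, so it is untrusted input.
    // A GUID has a fixed shape; anything else is rejected before it touches storage.
    public static UserProfile Load(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[KeyCookieName];
        if (cookie == null || !IsGuid(cookie.Value))
        {
            return null;
        }
        lock (Sync)
        {
            UserProfile profile;
            return Profiles.TryGetValue(cookie.Value, out profile) ? profile : null;
        }
    }

    private static bool IsGuid(string s)
    {
        if (s == null || s.Length != 36)
        {
            return false;
        }
        try
        {
            new Guid(s); // throws if the text is not a GUID
            return true;
        }
        catch (FormatException) { return false; }
        catch (OverflowException) { return false; }
    }
}

// Usage from a Web Forms page (assumed page class, constructed sample values).
public partial class ProfilePage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        UserProfile profile = UserProfileStore.Load(Request);
        if (profile == null)
        {
            string key = UserProfileStore.IssueKey(Response);
            profile = new UserProfile();
            profile.FirstName = "Ada";        // constructed sample data
            profile.LastName = "Lovelace";
            profile.Tel = "555-0100";
            UserProfileStore.Save(key, profile);
        }
    }
}
```

The browser never holds the profile itself, only an opaque handle, which is why this approach suits larger or more sensitive data. The handle still identifies the user to whoever presents it, so the Secure and HttpOnly flags and a finite expiry on the key cookie matter as much as they do for a session cookie.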

14
Security
  • You should never store secrets in a cookie no
    user names, no passwords, no credit card numbers,
    and so on.
  • Do not put anything in a cookie that should not
    be in the hands of a user or of someone who might
    somehow steal the cookie.
  • Similarly, be suspicious of information you get
    out of a cookie. Do not assume that the data is
    the same as when you wrote it out.
  • Limit the scope of cookies to a folder on the
    server, which in practical terms allows you to
    limit cookies to an application on the site:
    `Response.Cookies["domain1"].Path = "/Application1";`
  • Set scope to a domain, which allows you to
    specify which subdomains in a domain can access a
    cookie:
    `Response.Cookies["domain1"].Domain = "hadi.arbabi.com";`
  • Set appropriate expiration date and time for
    cookies.

15
Security
  • You can set a cookie property that causes the
    cookie to be transmitted only if the connection
    uses the Secure Sockets Layer (SSL, i.e. https://):
    `myCookie.Secure = true;`
  • ...
  • If you do want to store sensitive information
    such as a user ID in a cookie, you can encrypt
    the cookie.
  • Use HTTP-only Cookies.
  • NOTE: To mitigate the risk of information
    disclosure with a cross-site scripting attack, a
    new attribute is introduced to cookies for
    Internet Explorer 6 SP1. This attribute specifies
    that a cookie is not accessible through script.
    By using HTTP-only cookies, a Web site eliminates
    the possibility that sensitive information
    contained in the cookie can be sent to a hacker's
    computer or Web site with script. If a Web site
    sets an HTTP-only cookie on a browser that does
    not support HTTP-only cookies, the cookie is
    either ignored or downgraded to a traditional,
    scriptable cookie.
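The controls of slides 14 and 15 (Path, Domain, Secure, HTTP-only, expiry, and encrypting a sensitive value) applied to one cookie, as an added example that is not code from the presentation. SecureCookies, the UserId cookie name and the role string are assumptions; the Path and Domain values are the ones used on slide 14. The encryption uses the FormsAuthentication.Encrypt and Decrypt methods of System.Web.Security, which encrypt and integrity-protect a ticket with the application's machineKey, so a value altered on the client fails to decrypt instead of being accepted.

```csharp
// Added example, not from the original slides. SecureCookies and the cookie and
// role names are assumed; FormsAuthentication is the System.Web.Security API.
using System;
using System.Web;
using System.Web.Security;

public static class SecureCookies
{
    // Weak: default path (every application on the host receives it), sent
    // over plain http://, readable by script, and the user id stored in clear.
    public static HttpCookie Weak(string userId)
    {
        return new HttpCookie("UserId", userId);
    }

    // Hardened: scoped to one application and one host, https:// only, hidden
    // from script, a session cookie (no Expires), and the value is an
    // encrypted ticket with its own 20-minute validity instead of the plain id.
    public static HttpCookie Hardened(string userId)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                             // ticket version
            userId,                        // name carried in the ticket
            DateTime.Now,                  // issue time
            DateTime.Now.AddMinutes(20),   // expiration checked on the read side
            false,                         // not persistent
            "role=member");                // user data (assumed sample value)
        HttpCookie cookie = new HttpCookie("UserId", FormsAuthentication.Encrypt(ticket));
        cookie.Path = "/Application1";     // slide 14: limit to one application
        cookie.Domain = "hadi.arbabi.com"; // slide 14: limit to one host
        cookie.Secure = true;              // slide 15: SSL only
        cookie.HttpOnly = true;            // slide 15: not accessible through script (.NET 2.0+)
        return cookie;
    }

    // Read side: "do not assume the data is the same as when you wrote it".
    // A tampered or foreign value does not decrypt, an old one reports Expired.
    public static string ReadUserId(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies["UserId"];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null; // malformed, tampered, or encrypted under another machineKey
        }
        if (ticket == null || ticket.Expired)
        {
            return null;
        }
        return ticket.Name;
    }
}
```

In ASP.NET 2.0 and later the Secure and HTTP-only requirements can also be applied to every cookie the application issues with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>` in Web.config; the per-cookie properties above remain useful where a single cookie needs a narrower Path or Domain than the rest.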

16
References
  • Book: Developing Web Applications with Microsoft
    Visual C# .NET, Microsoft Press (MCAD/MCSD)
  • Web: Microsoft Developer Network (MSDN),
    HttpCookies; Cookies in .NET; State Management
    in ASP.NET